b'    GENERAL SERVICES ADMINISTRATION\n       OFFICE OF INSPECTOR GENERAL\n                     \xc2\xa0\n\n                                              \xc2\xa0\n                     \xc2\xa0\n                     \xc2\xa0\n\n\nAUDIT SURVEY OF THE HSPD-12 BILLING PROCESS\n      REPORT NUMBER: A100136/Q/F/P11001\n              OCTOBER 27, 2010\n                     \xc2\xa0\n                     \xc2\xa0\n\x0c              u.s. GENERAL SERVICES ADMINISTRATION\n              Office of Inspector General\n\n\nOctober 27,2010\n\n\nMEMORA DUM FOR:              STEVEN 1. KEMPF\n                             COMMISSIONER, FEDERALtyQUISITION SERVICE (Q)\n\nFROM:                        CAROLYN PRESLEY- DOSS          f\\1J1,U        lCM           -JIrYJ\n                             DEPUTY ASSISTANT INSPECTOR GE RAL FOR\n                             FINANCE AND INFORMATION TECHNOLOGY AUDITS (lA-F)\n\nSUBJECT:                     Audit Survey of the HSPD-12 Billing Process\n                             Audit Report Number: AI00136/Q/F/PII001\n\nDuring fiscal year 2010, the Office of Inspector General\'s (OIG) Acquisition Programs Audit\nOffice (lA-A) performed a Review of Controls within the Federal Acquisition Service\'s (FAS)\nOffice of Integrated Technology Services, Office of Infrastructure Optimization\'s Homeland\nSecurity Presidential Directive-I2 (HSPD-12) Program, and identified concerns over the HSPD-12\nbilling process. Consequently, the Finance and Information Technology Audit Office (lA-F) was\nasked to perform additional follow-up work to determine if internal controls over the HSPD-12\nbilling process are adequate and operating effectively. This memorandum presents the results of\nour survey work on our Review ofthe HSPD-12 Billing Process.\n\nObjective. Scope and Methodology\n\nThe objective of the review was to determine if there were any weaknesses in the HSPD-12 billing\nprocess during our period of review.\n\nDuring the Survey Phase, the JA-F reviewed regulations and guidance pertinent to the HSPD-12\nbilling process; contacted and met with appropriate staff to gain an understanding of the process;\ndeveloped a cycle memo and conducted walkthroughs; reviewed Standard Operating Procedures\'\nand reviewed the reconciliation process performed by the Managed Service Office (MSO) and the\nGSA Office of the Controller. The scope of our audit work included HSPD-12 invoices that were\nissued to customer agencies from October 2009 to April 2010. We conducted our survey work\nfrom March 2010 to August 2010. The survey work efforts were perforn1ed in accordance with the\ngenerally accepted government accounting standards (GAGAS) and the survey did not assess the\neffectiveness of the program\'s management control structure.\n\n\n\n\n                            Federal Recycling Program   .3\n                          1800 F Street, NW, WashIngton, DC 20405-0002\n                                                             Printed on Recycled Paper\n\x0cBackground\xc2\xa0\n\nIn April 2007, the MSO entered into a contract with Electronic Data Systems, Inc. (EDS) to\nprovide a shared/central fee-based service of personnel identification management to the federal\ngovernment\xe2\x80\x99s employees and its contractors. The MSO currently has 79 customer agencies within\nthe federal government system, and its core services include the issuance and maintenance of the\nHSPD-12 cards. To participate and receive services under the HSPD-12 program, each customer\nagency is required to sign an Interagency Agreement (IA) with the MSO.\n\nIn addition, the MSO is responsible for processing HSPD-12 customer billings. Specifically, the\nMSO reviews and monitors EDS invoices1; prepares detailed invoices for customer agencies; and\nprepares a monthly Intra-governmental Payment and Collections (IPAC) summary for the GSA\nOffice of the Controller for processing. The Office of the Controller is responsible for processing\nIPAC transactions on behalf of the MSO.\n\n\nHSPD-12 Billing Process\n\nThe billing process begins when the MSO receives invoices from EDS. There are two invoices that\nare sent to the MSO: (1) a public voucher and (2) a detailed billing listing of products and services\nat cost and at markup. Once these invoices are received, the MSO reconciles the detailed listing to\nthe public voucher to ensure that they are mathematically correct and are in agreement.\nFurthermore, the MSO ascertains whether the markup percentages included on the detailed billing\nlisting are correct2.\n\nIf there are discrepancies between the public voucher and the detailed billing listing, the MSO\ncontacts EDS to resolve the discrepancies. If there are no discrepancies, the MSO will modify the\ndata so that the EDS data is compatible with the MSO\xe2\x80\x99s Management Reporting Tool (MRT). The\nbilling data is then uploaded into MRT. Once it is uploaded, the MSO ensures that the markup fees\nare correct.\n\nThe MSO also maintains an internal fund tracking spreadsheet to make sure the customer agency\nhas enough funding available in order to continue receiving services under the program. If the\nfunding level is anticipated to go below 50% within the near future, the MSO will notify the\ncustomer and request additional funding. To obtain additional funding, an addendum to the\nexisting IA will have to be agreed upon, signed, and resubmitted to the MSO.\n1\n    EDS Invoices are billed two months in arrears.\n2\n The MSO informed EDS that it was going to increase its markup percentage; as a result, EDS started to apply the new\nmarkup percentage on their invoices. However, the MSO subsequently decided not to increase the markup percentage,\nand accordingly notified EDS. Although the MSO has made requests to EDS several times to correct the markup\npercentage, as of August 20, 2010, EDS has not taken any action on this matter.\n\n\n                                                         2\n\x0cAfter verifying that the markup fees are correct and the agency has enough funding, the MSO\nutilizes MRT to generate a detailed billing report and forwards it to the appropriate points of\ncontact within the finance and program departments at each customer agency. The MSO also\nprepares a summary of all charges, on a monthly basis, by IA \xe2\x80\x93 an IPAC Summary \xe2\x80\x93 and forwards\nit to the Office of the Controller to be input into the Office of IT Integration Management System\n(OMIS) for processing.\n\nSurvey\xc2\xa0Results\xc2\xa0\xc2\xa0\n\nResults in Brief\n\nOur survey work found weaknesses related to internal controls over the HSPD-12 billing process.\nSpecifically, we noted the following:\n\n    \xe2\x80\xa2 Invoices submitted by the contractor (EDS) do not include the proper markup percentages;\n\n    \xe2\x80\xa2 Separation of duties and routine supervisory reviews could improve the MSO\xe2\x80\x99s billing\n      process; and,\n\n    \xe2\x80\xa2 Instances of insufficient funding to cover HSPD-12 services that were already provided.\n\n\nSurvey Finding #1: Invoices submitted by the HSPD-12 contractor do not include the proper\nmarkup percentages\n\n\nDuring our discussions with MSO personnel, and during our review of invoices submitted by EDS,\nwe noted that the invoices do not include the correct markup percentages. Because the invoices are\nsubmitted to the MSO with the incorrect markup percentages, the MSO\xe2\x80\x99s workload is significantly\nincreased. Therefore, the risk for human-error in the billing process greatly increases as the MSO\nattempts to rectify the issue by adjusting the percentages manually when uploading billing data into\nMRT. According to the contractor\xe2\x80\x99s statement of work, EDS is required to directly invoice GSA\xe2\x80\x99s\nMSO customer agencies for services rendered and to include the successful contractor\xe2\x80\x99s contract\nprice, plus GSA\xe2\x80\x99s indicated markup, on the invoice.\n\nSurvey Finding #2: Separation of duties and routine supervisory reviews could improve the\nMSO\xe2\x80\x99s billing process\n\n\nDuring our survey, we noted that there was only one person, an external contractor hired by the\nMSO, who processed customer billings on behalf of the MSO. Specifically, the external contractor\nwas the only person responsible for receiving EDS invoices; subsequently making standardization\nand compatibility edits; and manually correcting the markup percentages for each customer agency.\n\n                                                 3\n\x0cThe external contractor was also responsible for using MRT to generate invoices which were\nultimately forwarded to the customer agencies. Furthermore, we noted that the supervisor was not\nconsistently involved in reviewing the monthly billings processed by the external contractor on a\nregular basis. Therefore, there is an absence of separation of duties and routine independent (or\nsupervisory) review within the MSO\xe2\x80\x99s HSPD-12 billing process. According to the Government\nAccountability Office\xe2\x80\x99s Standards for Internal Controls in the Federal Government, segregation of\nduties and independent (or supervisory) review are two of the key control activities that help reduce\nthe risk of error or fraud.\n\nSurvey Finding #3: Instances of insufficient funding to cover HSPD-12 services that were\nalready provided\n\nLastly, we noted that there were eight customer agencies that did not have sufficient funding for\nservices they had already received. In these instances, the MSO withheld the bill and did not\nforward the IPAC information to the GSA Office of the Controller for processing until the funding\nbecame available. Consequently, the GSA Office of Controller was not aware of the customer\nagencies that had IAs with insufficient funding.\n\nAdditionally, for one of the aforementioned eight customer agencies, the MSO granted access\nrights3 to its employees without verifying to see if the corresponding IA for the agency was signed.\nIn the case of the other seven customer agencies, the financial addendums (i.e., Interagency\nAgreement Amendments) that were needed to obtain additional funding were not signed in a timely\nmanner (i.e., additional funding was not received before the bill is due for processing in OMIS).\nThe MSO explained that services were provided to the customer agencies that did not have\nadequate funding to prevent suspension of the HSPD-12 card.\n\nMost importantly, we noted that the Office of the Controller did not perform formal and scheduled\nreconciliations between MRT and OMIS. According to the MSO and the Office of the Controller,\nany discrepancies were handled informally for specific IAs, on an as needed basis, during the year.\nHowever, in order to assure better internal control, the Office of the Controller established a\nschedule to perform the reconciliations on a monthly basis starting in June 2010.\n\nConclusion\xc2\xa0\nDuring our survey work, we noted weaknesses in the internal controls over the HSPD-12 billing\nprocess. Specifically, we noted that the contractor hired to provide HSPD-12 services on behalf of\nthe program does not provide billing data with the correct markup percentages. In addition,\nimplementing separation of duties and more consistent supervisory reviews could improve the\nHSPD-12 billing process within the MSO, in addition to formally documented and independently\n\n\n3\n  Access rights granted to employees at customer agencies are for the purposes of processing HSPD-12 access card\nrequests.\n\n\n                                                         4\n\x0creviewed reconciliations. We also noted eight instances in which there was insufficient funding to\ncover HSPD-12 services that were already provided to customer agencies.\n\nBased on our survey work, we concluded that these conditions exist because billing data received\nfrom EDS, the HSPD-12 service provider, is not accurate, and because the MSO does not have\nwritten standard operating procedures for the HSPD-12 billing process. Likewise, at the time of\nour survey, the Office of the Controller did not have any written standard operating procedures for\nthe reconciliations performed between the two systems, MRT and OMIS, used to manage the\nbilling process.\n\nRecommendation\xc2\xa0\nWe recommend that FAS, in conjunction with the MSO and the GSA Office of the Controller,\nwork together to improve the billing process over the HSPD-12 program. Specifically, we\nrecommend that:\n\n   \xe2\x80\xa2   the MSO continues to be assertive in its efforts to insist that EDS update its billing\n       invoicing system to include the proper markup percentages for services provided to\n       customer agencies;\n\n   \xe2\x80\xa2   FAS, the MSO, and the Office of Controller collaboratively ensure that reconciliations are\n       routine, formally documented, and independently reviewed; and,\n\n   \xe2\x80\xa2   the MSO formally document and improve its monitoring procedures for ensuring that\n       sufficient funding is secured (available) for customer agencies prior to services being\n       provided.\n\nBy addressing these areas of concern, management can further ensure a more efficient and effective\nHSPD-12 billing process.\n\nManagement\xe2\x80\x99s\xc2\xa0Response\xc2\xa0\nIn a response dated October 8, 2010, FAS stated its concurrence with the three recommendations\nissued by the OIG, and will begin creating action plans to address the recommendations.\nManagement\xe2\x80\x99s written comments to the draft report are included in Appendix A.\n\nManagement\xc2\xa0Controls\xc2\xa0\nThe objective of our survey work was to determine if there were any weaknesses in the HSPD-12\nbilling process during our period of review. As part of our survey, we determined that internal\ncontrols over the HSPD-12 billing process could be improved.              We have included\nrecommendations in this report to address identified control issues.\n\n\n\n\n                                                5\n\x0cWe would like to thank FAS for the courtesies extended to us during our review. If you have any\nquestions regarding this report, please do not hesitate to call Porsha Pickett-Brower or me, at 202-\n357-3620.\n\n\n\n\nJ~~Y_D~~J~\nDeputy Assistant Inspector General for\nFinance and Information Technology Audits (lA-F)\n\n\n\n\n                                                 6\n\x0c                          APPENDIX A - MANAGEMENT\'S RESPONSE\n\n\n\n                                                             GSA Federal Acquisition Service\n\n\n\n\nOctober 8,2010\n\n\nMEMORANDUM FOR:             JEFFREY C. WOMACK\n                            DEPUTY ASSISTANT INSPECTOR GENERAL\n                            FOR FINANCE AND ADMINISTRATIVE AUDIT OFFICE\n                            (JA-F)\n\nFROM:                       STEVEN J. KEMPF\n                            COMMISSIONER\n                            FEDERAL ACQUISITION SER\n\nSUBJECT:                    GSA Draft Report, "Audit Survey of the HSPD-12 Billing\n                            Process" (Report Number A100136), dated October 7,2010\n\n\n\nThank you for the opportunity to provide comments on the discussion draft, and for\ntaking our comments into consideration when publishing your draft report. FAS concurs\nwith the three recommendations and will begin creating action plans to address the\nrecommendations. Concurrences are included in the official file or by the\ncorrespondence received from the program offices which are attached to the official file.\n\nPlease call me at (703) 605-5400 if you have any questions. Your staff may contact\nKirk Martinelli at (703) 605-5432 or kirk.martinelli@gsa.gov for additional information.\n\n\ncc:   Mr. Theodore R. Stehney\n      Assistant Inspector General\n      for Auditing (JA)\n\n\n\n\n                                                              U.S. General Services Administration\n                                                              2200 Crystal Drive\n                                         A-1                  Arlington, VA 20406-0003\n                                                              WWW.gsa.gov\n\x0c                       APPENDIX A \xe2\x80\x93 MANAGEMENT\xe2\x80\x99S RESPONSE\n\n  Federal Acquisition Service Comments on the OIG Draft Report: \xe2\x80\x9cAudit Survey of the\n                          HSPD-12 Billing Process\xe2\x80\x9d (A100136)\n\n\n\nGeneral Comments\n\n\nSince inception of the program, and based on lessons learned in the newly established\nbusiness process, the FAS MSO has consistently reviewed and modified policies and\nprocedures on an ongoing basis. The modifications have led to the tightening of existing, as\nwell as the establishment of new internal controls. The FAS MSO, in conjunction with the Office\nof the Controller, has established standard operating procedures for the reconciliation of the\nMRT and OMIS systems used to support the billing process. This reconciliation was required to\nbe done semi-annually by the GSA Chief Financial Officer; however, the FAS MSO and the\nOffice of the Controller have elected to perform this operation on a monthly basis.\n\nIn addition, in recognition of the OIG recommendation, the FAS MSO has established a formal\nprocess for the independent review of the monthly billing before submission to the Office of the\nController for processing.\n\nRecommendation No. 1\nThe MSO continue to be assertive in its efforts to insist that EDS update its billing\ninvoicing system to include the proper markup percentage for services provided to\ncustomer agencies.\n\nFAS concurs.\n\n\n\nRecommendation No. 2\nFAS, the MSO, and the Office of the Controller collaboratively ensure that reconciliations\nare routine, formally documented, and independently reviewed.\n\nFAS concurs.\n\n\n\nRecommendation No. 3\nThe MSO formally document and improve its monitoring procedures for ensuring the\nsufficient funding is secured (available) for customer agencies prior to services being\nprovided.\n\nFAS concurs.\n\n\n\n\n                                              A-2\n\x0c                 AUDIT SURVEY OF THE HSPD-12 BILLING PROCESS\n                       REPORT NUMBER: A100136/Q/F/P10001\n\n\n\n                           APPENDIX B - REPORT DISTRIBUTION\n\n\n                                                                   Copies\n\nCommissioner, Federal Acquisition Service (Q)                      3\n\nInternal Control and Audit Division (BEI)                          1\n\nInspector General, Office of the Inspector General (J)             1\n\nDeputy Inspector General, Office of the Inspector General (JD)     1\n\nAssistant Inspector General for Auditing (JA)                      1\n\nDirector, Audit Planning, Policy and Operations Staff (JAO)        1\n\nAssistant Inspector General for Investigations (JI)                1\n\nDeputy Assistant Inspector General for Acquisition Audits (JA-A)   1\n\n\n\n\n                                                B-1\n\x0c'